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Abstract 

The paper proposes and studies temporal logics for attributed words, 
that is, data words with a (finite) set of (attribute, value)-pairs at each 
position. It considers a basic logic which is a semantical fragment of the 
logic LTLf of Demri and Lazic with operators for navigation into the 
future and the past. By reduction to the emptiness problem for data 
automata it is shown that this basic logic is decidable. Whereas the 
basic logic only allows navigation to positions where a fixed data value 
occurs, extensions are studied that also allow navigation to positions with 
different data values. Besides some undecidable results it is shown that the 
extension by a certain UNTIL-operator with an inequality target condition 
remains decidable. 



1 Introduction 

Motivated by questions from XML theory and automated verification, exten- 
sions of (finite or infinite) strings by data values from unbounded domains have 
been studied intensely in recent years. Various logics and automata for such 
data words have been invented and investigated. 

A very early study by Kaminski and Francez |17j considered automata on 
strings over an "infinite alphabet" . In [7] , data words were invented as finite 
sequences of pairs (a, d) , where a is a symbol from a finite alphabet and d 
a value from a possibly infinite domain. In [5] multi-dimensional data words 
were considered where every position carries N variable valuations, for some 
fixed N. Similar models can be found for instance in [5] and other work on 
parameterized verification. More powerful models were investigated in [TO] and 
[T3] where every position is labeled by the state of a relational database, i.e., by 
a set of relations over a fixed signature. 
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For the basic model of data strings with one data value per position a couple 
of automata models and logics have been invented and their algorithmic and 
expressive properties have been studied. On the automata side we mention 
register automata [T7J[E1[22] (named finite memory automata in [T71 [5]), pebble 
automata [HI HI] , alternating 1-register automata jT3] , data automata [5] (or 
the equivalent class memory automata [3J). 

On the logical side, classical logics like two- variable first-order logic [5] have 
been studied and recently order comparisons between data values have been 
considered [301 [53] ■ The satisfiability problem for two- variable first-order logic 
over data words is decidable if data values can only be compared for equality but 
positions can be compared with respect to the linear order and the successor 
relation [5 . However, the complexity is unknown. It is elementary if and 
only if testing reachability in Petri nets is elementary as well [5]. The proof 
of decidability uses data automata, a strong automata model with decidable 
non-emptiness . 

More relevant for this paper are previous investigations of temporal logics on 
data words. A pioneering contribution was by Demri and Lazic [12] (the journal 
version of [11]) which introduced Freeze LTL. In a nutshell, Freeze LTL extends 
LTL by freeze quantifiers whicfQ allow to "store" the current data value in a 
register and to test at a possibly different position whether that position carries 
the same value. Freeze LTL has a decidable finite satisfiability problem if it is 
restricted to one register (LTL|) and to future navigation, but the complexity 
is not primitive recursive. With one register and past (and future) navigation 
it is undecidable. In [16] it is shown that these lower bounds even hold if only 
navigation with F and P (but without X) are allowed. 

In |12j . also a restriction of LTLj, simple LTh\ , was investigated and it 
was shown that it is expressively equivalent to two- variable logics. The restric- 
tion requires that (syntactically) between each value test and the corresponding 
freeze quantifier there is at most one temporal operator and it disallows Un- 
til and Since navigation but allows past navigation. Thanks to the (effective) 
equivalence to two- variable logics, simple LTL^ is decidable. 

One of our aims in this paper was to find a decidable temporal logic on 
data words with past navigation that is more expressive than simple LTLj. In 
particular it should allow Until navigation with reference to data values. On the 
other hand, the logics we study are semantical fragments of LTL^. Furthermore 
this work was motivated by the decidable logic CLTL° for multi-attribute data 
words [10] , It allows to test whether somewhere in the future (or past) a current 
data value occurs and it can compare data values between two positions of 
bounded distance. The logics proposed in this paper are intended to have more 
expressive power than CLTL° while retaining its decidability. 

1 We note that the freeze quantifier itself was used already in [9] and in previous work, e.g., 
in [I]. 
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Contribution 

We propose and investigate temporal logics for multi-attribute data words. An 
attributed word is a string which can have a finite number of ( attribute, value)- 
pairs at each position (in the spirit of XML) and has propositions rather than 
symbols (in the spirit of LTL). 

We first define Basic Data LTL which mimics the navigation abilities of sim- 
ple LTL|, if only positive register tests are used. As sequences of such navigation 
steps do not do any harm we drop the requirement to freeze the data value at 
every step and replace freeze quantifiers by a class quantifier which restricts a 
sub-formula to the positions at which this data value appears. We show that a 
slight extension of this logic captures simple LTL j (Proposition [5]) and that it 
is decidable (Theorem [2]). Although strictly more expressive than CLTL°, the 
decidability proof for Basic Data LTL is conceptually simpler than the proof 
given in |10j . It uses an encoding of multi- attribute words by data words and a 
reduction to non-emptiness of data automata. A similar multi-attribute encod- 
ing has already been used in [T3] . The result generalizes to attributed ui- words 
(Theorem [3|). Some obvious extensions (by navigation with respect to two data 
values or Until navigation where intermediate positions can be tested by data- 
free formulas) are undecidable (Theorems 0] and respectively). 

Finally, we add a powerful Until-operator to Basic Data LTL, which allows 
to navigate to a position with a data value that is different from the value of 
a given attribute at the starting position. Furthermore, it can test properties 
of intermediate positions by arbitrary sub-formulas and can even test (in a 
limited way) whether intermediate positions have attribute values different from 
or equal to the value on the starting position. The resulting logic can express 
all properties expessible in two-variable first-order logic and contains the Until 
operator. That this logic is still decidable is the main technical contribution of 
the paper. 

The paper is organized as follows. In Section [21 we define attributed words 
and Basic Data LTL and give some example properties. In Section [3l we com- 
pare Basic Data LTL with other logics. Section [4] shows that Basic Data LTL 
is decidable and presents undecidability results for some extensions. Section [5] 
introduces the extended Until operator and shows decidability of the resulting 
logic. It also shows (the simple fact) that an Until-operator that navigates with 
respect to equality and allows (only) data-free intermediate tests quickly leads 
to an undecidable logic. We conclude in Section [6] 

Related work 

We discussed many related papers above. Another approach, combining tem- 
poral and classical logics, was studied in [14] . It allows to navigate by temporal 
operators and to evaluate first-order formulas in states. Properties depending 
on values at different states can be stated by global universal quantification of 
values. In [6] a first-order logic on multi-dimensional data words was studied. 
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2 Definitions 

We first fix the data model and define BD-LTL afterwards. Finally we give an 
example that illustrates the way in which properties can be expressed 

2.1 Attributed words 

Let P1ZOV and ATT be (possibly infinite) sets of propositions and attributes 
and T> an infinite set of data values. An attributed word w is a finite word where 
every position carries a finite set {pi, . . . ,p{\ of propositions from V1ZOV and a 
finite set {(ai, d\), . . . , (dfc, dk) \ a,i ^ aj for i ^ j} of attribute- value pairs from 
ATT x V. 

Given an attributed word w we denote the proposition set of position i in w 
by w[i].V. A position i is a p-position if p G wjzJ.'P. By w[i].@a we denote the 
value of attribute a on position i. If position i does not carry attribute a, then 
w[i].@a = nil D. The word projection of an attributed word w = ui\ . . .w n 
is defined by striw) := w[l].V . . . w[n].V. By posd(w) we denote the set of class 
positions of d in w, that is, the set of positions of w with at least one attribute 
with value d. The class word classd{w) of w with respect to d is the restriction 
of w to the positions of posd(w). 

We always consider sets of words over some finite set V of propositions and 
a finite set V of attribute^. We call an attributed word w V '-complete for a 
finite set V C ATT if every position of w has exactly one pair (a,d a ) for each 
a G V. A {a}-complete word is called 1-attributed word . We refer to the value 
of attribute @a at a position i in a 1-attributed word as the data value of i. 
There is an immediate correspondence between data strings (that is, sequences 
of (symbol,value) pairs) and 1-attributed words. Thus, we use in this paper 
automata and logics that were introduced for data strings also for 1-attributcd 
words. 

Attributed w-words arc defined accordingly. 

For i,j G N with i < j we denote the interval {i, i + 1, . . . j } by [i, j]. As 
usual we use round brackets to denote open intervals, e.g., [3, 5) = {3, 4}. 

2 As we will use A for automata we use V here: Variables. 
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2.2 Basic Data LTL 

The logic Basic Data LTL (abbreviated: BD-LTL) has two main types of for- 
mulas, position formulas and class formulas, where, intuitively, class formulas 
express properties of class words. We first state the syntax of the logic and give 
an intuitive explanation of its non-standard features afterwards. 

We fix a finite set V C V1ZOP of propositions and a finite set V C ATT of 
attributes. 

The syntax of position formulas ip and class formulas ip of BD-LTL (over V 
and V) are defined as follows. 

ip ::= p\^ip\ip\/ip\Xip\Yip\ ipXJip | ipSip | C 5 @a ip 

ip ::= tp \ @a\ ^ip \ ipV ip \X=ip \Y=ip \ ipV = ip \ ipS = ip 

Here, p 6 V, a 6 V, S £ Z. Intuitively, the quantifier C @a tp restricts the 
evaluation of ip to the class word induced by attribute a at the current position. 

Next we define the formal semantics of position formulas. Let w be an 
attributed word and i a position on w: 

• w, i \= p if p € w[i].P; 

• w, i \= -up if w, i \£ ip; 

• w, i \= (p i V <p>2 if w, i \= ipi or w, i \= ip2', 

• w, i \= Xip if i + 1 < |w| and w, i + 1 |= 

• w,i \= ip%U(p2 if there exists & j > i such that w, j ^= ip2 and j' |= <^x 
for all f e 

• iw, i |= if u>[i].@a ^ nil, i + S G [1, |w|], and io, i + 5, w[z].@a |= ^. 

The operators Y and S are the past counterparts of X and U respectively. Their 
semantics is defined analogous!;^. 

Next, we define the semantics of class formulas. Let w be an attributed 
word, i a position on w and d a data value. 

• w, i, d \= ip if w, i (= ip; 

• w,i,d \= @a if «;[«]. @a = d; 

• w,i,d \= X = ip if there exists a j e posd(w) with j > i, and for the smallest 
such j it holds w, j, d \= ip; 

• w,i,d \= ipi U = ip2 if there exists a j £ posd{w) with j > i such that 
u>, j, d |= <y^2 and w, fc, d \= ipi for all k £ posd(w) D [i, j). 

3 To avoid ambiguity: pSg holds if there is a ij-position in the past and at the intermediate 
positions p holds. 
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For the past class operators Y and S the semantics is defined analogously 
and the semantics of the Boolean connectors is as usual. Finally, w \= ip, if 
w, 1 |= ip. Wc denote the set of positional formulas by BD-LTL. 

Besides _L and T we use the following usual abbreviations: 

Ftp := TXJp Gp := -F-xp Pp := TSp Up := -P-xp 

The abbreviations F = and G = and their past counterparts are defined analo- 
gously. Furthermore, we abbreviate C@ a @6 by @a = X s @b. 

2.3 Example: a simple client/server scenario 

The following example illustrates how properties can be expressed in BD-LTL. 

Consider an internet platform that uses ui servers Si, . . . , S m to process 
queries from clients. Every client shall have a unique client number. As we 
do not know beforehand how many clients will use the platform, we model the 
client numbers by the set T> = N. 

Each of the servers can either idle, be queried by a client or serve the answer 
for a query. For server j, the actions are modelled by the set of propositions 
{qj, Sj, ij}. Runs of the internet platform can now be represented by an at- 
tributed word with attribute set ATT = {Si, . . . , S m } and set of propositions 
Ui<j<m{9jj s i' That a server Sj shall perform exactly one action from 
{qj, Sj,ij} at any given time, can be easily expressed by a BD-LTL- formula. 

Let us look at an example system with three servers A, B and C . An example 
run represented as an attributed word could look as follows. 



Pos 


1 


2 


3 


4 


5 


6 


Props 


{q A ,qB,ic} 


{q A ,qB,qc} 


{sa, qB,sc} 


{sa, SB,ic} 


{iA,s B ,qc} 


{lA, SB, Sc} 


A 


1 


2 


2 


1 






B 


2 


3 


4 


2 


3 


4 


C 




1 


1 




2 


2 



Here, e.g., at position 5 server A is idling, server B is serving client 3 and 
server C is queried by client 2. Properties of runs can be expressed by BD-LTL 
formulas: 



• A client can query a second time on a server only after the first query has 
been served: 

A G(« z ->C oz ((@Z->-g z )U=(@ZA« z ))) 

Ze{A.B,C} 

• A server Z can serve a client only if there is an unanswered query by that 
client (i.e. the last action by that client on Z was a query): 

A G(s z -> C @Z ((^@Z)S=(@Z A q z )))) 

Ze{A,B,C} 

• A client with an open query on server A shall only be allowed to query 
server C until server A answered the query: 

G(q A -> C @A (^@B A X=((-.(« A A A) A ->( te A B)) U= s A ))) 
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3 Expressiveness of BD-LTL 



In this section we will give a short overview of established logics on strings 
with data values and outline how BD-LTL fits in. We give a short introduction 
to freeze LTL and CLTL°, see [12] and [TU] for more details. Afterwards we 
compare these two logics to BD-LTL. 

3.1 BD-LTL versus LTLj 

Freeze LTL is an extension of LTL for data words by a freeze quantifier that 
binds the data value of the current position to a variable (aka register) and 
allows to compare the value of a position with the value bound to a variable. 
Satisfiability for freeze LTL is undecidable even for two registers [Hj, therefore 
[T2"] proposed the 1-register fragment LTL|. In the framework of 1-attributed 
words, formulas of LTLj are of the form 

tp ::= p | \,ip |t| -«p | <f A if | Xip | Y(p \ (pU(p \ (pSip. 

The formal semantics of LTLj (on data strings) can be found in 12 . We 
illustrate it by a simple example: the formula G(p —> (|F(g A f))) expresses 
that each p-position has a future (/-position with the same data value. 

In |12j . the fragment simple LTLj was invented, where at most one tem- 
poral operator is allowed between the the freeze quantifier J. and a value test 
t- Furthermore, only the unary temporal operators X fc , Y k , X fe F, Y fc P, k e N 
are allowed. Here, X fc F is considered a single operator, that is |X fc Ft is an 
allowed formula. The relative expressive power of BD-LTL and LTLj can be 
summarized in the following two propositions. 

Proposition 1 Every property of 1-attributed words that is expressible in BD-LTL 
can also be expressed in LTL\. 

The statement also holds for all extensions of BD-LTL considered in Section [5l 
Note however, that LTLj is undecidable whereas BD-LTL and its main extension 
in Section [5] are decidable. 

Proposition 2 The following logics are equivalent on 1-attributed words 
(i) Simple LTL\ 

(ii) BD-LTL without Until and Since extended by F^ and P^. 

Here, F^<p intuitively navigates to a future position of distance > 8 with a 
different data value and evaluates cp there. In the notation of Section [5] it is 
an abbreviation for TU@ a (@a A tp). Note, that an analogous operator Flip for 
equal data values can be simulated by C@ a F = tp. The proof of both propositions 
is straightforward and therefore omitted. 
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3.2 BD-LTL versus CLTI/ 



Temporal logic of repeating values (CLTL ) was introduced in |10j . CLTL°- 
formulas are of the form ip ::= x = X s y \ x — oy \ ip A ip —up \ Xtp \ ip\Jip \ Yip 
(pSip, where x, y are from a set of variables. A CLTL°-formula with variables 
{a:i, . . . , x m } is evaluated on sequences of m-tuples of data values (without labels 
from a finite set) but the extension to {x\, . . . , x ln }-complete attributed strings 
is straightforward. A formula x = X s y tests whether component x of the 
current position has the same data value as component y of the <5-next position. 
A formula x — oy is true if there is a (strict) future position with the same 
data value on component y as the current position has on component x. The 
semantics of all other operators is as usual. 

The following proposition is straightforward, since x = oy and x = X s y can 
be encoded by C@ x X = F = @y and C@ x @y, respectively. 

Proposition 3 On {x%, . . . , x m }- complete attributed words BD-LTL is strictly 
more expressive than CLTL^ . 

4 Decidability of Basic Data LTL 

In this section we show that satisfiability for BD-LTL over attributed words is 
decidable. The proof is by a reduction to the satisfiability problem for BD-LTL 
over 1-attributed words (Subsection 14.21) and a reduction of the latter to non- 
emptiness of data automata (Subsection 14. lj) . In Subsection 14.31 we extend our 
decidability result to a;- words. In Subsection 14.41 we show undecidability for two 
extensions of BD-LTL. 

4.1 Basic Data LTL over 1-attributed words is decidable 

The proof of decidability of satisfiability over 1-attributed words uses register au- 
tomata (we follow [3]) and data automata j5]. Non-emptiness for data automata 
is decidable J5 . They are strictly more expressive than register automata and 
for every register automaton an equivalent data automaton can be effectively 
constructed j3] ; furthermore data automata are closed under intersection, union 
and letter-to- letter- projection [5]. 

Register Automata 

In |17| Kaminski and Francez introduced Finite-Memory Automata which work 
on sequences of data values only but their generalization to 1-attributed words 
is straightforward. These automata have later been studied in [12] and [22] 
where they are called Register automata. Register automata are equipped with 
a constant number of registers in which they can store data values which can 
later be compared with the data value of the current position. We refer to the 
definition in [3]. 
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A register automaton over a finite alphabet E is a tuple 1Z = (E, 5, s , fe, r , 7r, F), 
where Q is a finite set of states, so is the initial state, k is the number of regis- 
ters, To : {1, k} — > {_L} is the initial register assignment (_L ^ V indicates an 
empty assignment), tt is a finite set of transitions and F C 5 are the accepting 
states. The transition set it consists of compare transitions (i, s, a) — > s' and 
store transitions (s, a) — > (s', i), for z G {1, fc}, s, s' € 5, and a G E. 

A configuration of 7?. is a pair (s, r), where s£S and r : {1, fc} — > 2?U{_L} 
is a register assignment. The initial configuration is (sq,tq). A read transition 
(i,s,a) — > s' can be applied if the current state is s, the next input set is a and 
the next input data value is already stored in register i. It takes the automaton 
from configuration (s,t) to (s',t). A write transition (s,er) — > (s',i) can be 
applied if the current state is s, the next input symbol is a and the next input 
data value d is currently not stored in any register. It takes the automaton from 
a configuration (s,t) to (s',t'), where r'(«) = d, and r'(j) = r(j) for all j ^ i. 

A run of register automaton over — 2 V with V C V1ZOV on an 1- 
attributed word w with | w| = n is a sequence (so, To), . . . , (s n , r ra ) of config- 
urations, defined in the obvious way. An attributed word w is accepted by a 
register automaton 1Z if there exists a run (sq,tq), . . . , (s„, r„) of 1Z on w with 
s„ G F. 

Data Automata 

_Da<a automata were introduced in [5] and have later been studied in, e.g., [3]. 

A data automaton A = {B, C) over a finite alphabet E consists of a &ase 
automaton B and a cZass automaton C. 

• B = (E, Tg, Sg, sog, n B, Fb) is a nondeterministic letter-to-letter string 
transducer with input alphabet E, output alphabet Tg, an initial state 
Sog £ £>Bi a transition relation C Sg x E x Tg x and a set Fb C S& 
of accepting states. In each step B replaces the current label a G S with 
a symbol 7 G Tg. 

• C = (Ts, Qc, soci n c, Fq) is a nondeterministic string automaton with in- 
put alphabet Tb, an initial state Soc G Qc, a transition relation ttq C 

x Te x <Sc and a set Fc C 5c of accepting states. 

An 1-attributed word w of length n is accepted by A — {B,C} over E = 2 V 
where V C VIZOV if there is an accepting run of £> on str(w), yielding an 
output string 71 . . .j n , such that, for each set pos w (d) — ...,ik) Q {1, ■•■,«.} 
of class positions with d occurring in w and i\ < . . . < ik the class automaton 
accepts 7i t . . . 7 ifc . 

We denote the set of words accepted by a data or register automaton A by 
C(A). 

Theorem 1 Satisfiability for BD-LTL on 1-attributed words is decidable. 

Proof. Let ip be a BD-LTL formula over a proposition set V and the attribute 
set {a}. 
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In the following we often call 1-attributed words simply words. Our automata 
will expect instead of words w over P extended words w' with additional propo- 
sitions. First, w' allows the subformulas of ip as propositions. The intention is 
that a position i of w' is marked with ip if and only if w, i (= ip. Furthermore, we 
use propositions — r for every r S {— N, ...,—1,1,..., N}, for some N that is at 
least as large as every 5 occurring in ip. Proposition = r shall hold at position i 
if and only if w[i].@a = w[i + r].@a. Whether these propositions are correct in 
a given w' can be easily tested by a register automaton. 

We call an extended word w' valid if the propositions = r are as intended and 
each position i carries exactly those formulas holding at i in w. The word w' is 
valid with respect to a subformula if; of ip if i/j is a proposition or w' is consistent 
with respect to the maximal strict subformulas of ip. As an example, a word is 
valid with respect to ip = ip\\Jip2 if for each (^-position i there is a (^-position 
j > i such that all positions k, i < k < j are marked by <p\. 

Clearly, each word w has a unique valid extension. Thus, ip is satisfiable if 
and only if it has a valid extension w' in which position 1 carries the proposition 

We show in the following that from a BD-LTL formula a data automaton 
Atp can be constructed that checks whether an extended word w' is valid. The 
statement of the theorem then follows from the decidability of non-emptiness of 
data automata. 

To this end, we construct for each subformula ip of ip a data (or register) 
automaton A'^ that decides whether a given word is valid with respect to ip 
under the assumption that it is valid with respect to all strict subformulas of ip. 
By intersecting all these automata and intersecting the result with a register 
automaton that tests that the = r propositions are correct and an automaton 
that tests whether position 1 carries ip, we obtain A v . 

The construction of A'^ is straightforward for formulas of the types p \ ~^ip \ 
ip V ip | Xtp | Yip | tpVip | ipSip. Basically, these automata do not need a class 
automaton. The construction is equally straightforward for all types of class 
formulas. In these cases, basically only class automata are needed. To deal 
with the (5-shift in formulas of the form C s &a ip we use the propositions =,.. E.g., 
to validate with respect to tp = C@ Q F = x at position i, the class automaton 
of A'^p infers from the =. r propositions how many positions the class word has 
between i and i + 7, then it skips these positions and starts searching for a 
X-position from there. Q 



4.2 Basic Data LTL is decidable 
Theorem 2 Satisfiability for BD-LTL is decidable. 

Proof. Thanks to Theorem [T] it suffices to reduce the satisfiability problem for 
BD-LTL to the satisfiability problem for BD-LTL on 1-attributed words. That 
is, for a given BD-LTL formula \, we construct a BD-LTL formula x' such that 
x' holds for some 1-attributed word if and only if x holds for some attributed 
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rfi 


d 2 


d 
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d 2 


d 3 


6?4 



Figure 1: How an attributed word w with two attributes is encoded as 1- 
attributcd word w' . 



word. Therefore we use an encoding of attributed words by 1-attributed words 
that has been introduced in [13]. 

Let V and V = {ai, . . . , a m } be the set of propositions and the set of at- 
tributes used in x, respectively. The set of propositions used in x' is PUVU{i?}. 

The intuition is that every position i of a model w of \ is encoded by a 
block of m positions in a model w' of x' ■ Position j in the i-th block of w' thus 
represents attribute a,j of the ith position of w. However, as some positions in w 
might not carry values for all attributes, the positions corresponding to existing 
attributes are marked by proposition R (see Figured] for an example). 

The formula x' constructed from x is of the form ^structure A t(x) where 

• ^structure makes sure that the 1-attributed word is well-formed, that is, it 
is a concatenation of blocks of length m, where, in each block, the j-th 
position has proposition attj (and no other attfc) and all positions carry 
the same propositions from V, and 

• t(x) is obtained from x by a straightforward inductive construction. 

The translation t makes use of additional translations tj and i max - More 
precisely, 

3=1 

and 

rn > m — i ra — i \ 

WO) = V ( att * ^ V = X5@a A A = XS ' @ ^ ^ X ^) ) ' 

Here, we use @a = X s @a as an abbreviation for C@ a (RA@a). Intuitively, ti(ip) 
is a formula which first navigates to the i-th position of the current block and 
evaluates (p. Likewise, t max (<p) is a formula which first navigates to the last 
position of the current block with the same (active) data value and evaluates tp. 
The inductive translation t of positional formulas x is defined by 

• t(p) :— p for all p G V 
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• t{-«p) := -<b{<p) 

• t(ipVip) := t(ip) yt{ip) 

• t(X(p) := X m t(<p) 

• t(ipVip) := t(ip)\Jt(ip) 

• t(@a t = X k @ aj ) := U(@a = X km+ ^-^@a) 
. t(C @ai ip) :=t,(JJ A <(*>)) 

for all i,j s {1, . . • , m}. Translations of the positional formulas for the past are 
analogous. 

Now we give the translation for class formulas. Here, the basic idea is that 
each navigation step ends at a position with the currently frozen data value. 

• t(@ aj ) := V™i(att, -> (@a = X^ l @a)) 

• t(-«p) = ^(v) 

• t(<p V ij)) = t((fi) V t(ip) 

. t(X»=W(X=(niJU=(iJA%)))) 

• t(<p\J= ip) = {R^r t(tp)) U=(i? A t(i/0) 

The translations for the past operators are analogous. The correctness of the 
reduction is straightforward. 

□ 

The complexity of the satisfiability problem for BD-LTL over 1-attributed words 
is probably very bad. As for two- variable logics [5], it is (efficiently) interre- 
ducible with the reachability problem for Petri Nets [T3] . 

4.3 BD-LTL on infinite attributed words is decidable 

Over attributed cj-words BD-LTL remains decidable. First, we observe that the 
mapping used in Theorem [2] works also for the infinite case, i.e. the satisfiability 
problem for BD-LTL over attributed ui- words is reducible to the satisfiability 
problem over 1-attributed w-words. Hence, it remains to prove the decidability 
for the latter problem. We do this by a reduction to the non-emptiness problem 
for data w-automata which is shown to be decidable in 5 a . These automata are 
defined analogously to data automata. We only describe the differences here. 
A data w-automaton A — (Bi n f,C,Ci n f) consists of a base automaton Kj n / 
which is a Biichi letter-to-letter transducer with output over some alphabet F, 
a finitary class automaton C which is a finite string automaton over F and an 
infinitary class automaton Cj„f , which is another Biichi automaton over T. An 
1-attributed w-word w is accepted if the base automaton has an accepting run 
over the string projection of w with output 7172 . . . such that for every finite 
class %i < . . . < i m the string 7^ . . . 7i m is accepted by B and for every infinite 
class ii < 12 < • • ., the w-string 7^7^ ... is accepted by Km/- 
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Theorem 3 Satisfiability for BD-LTL on attributed ui-words is decidable. 

Proof. (Sketch) The proof is by reduction to the non-emptines problem for 
data w-automata and is along very similar lines as that of Theorems Q] and 
[2j By applying the mapping given in Theorem [2] we first make a reduction to 
the satisfiability problem for BD-LTL on 1-attributed w-words. Then, given a 
BD-LTL formula (p defined on {a}-complete attributed words we can construct 
a data ^-automaton which is non-empty if and only if ip is satisfiable. The 
automaton AL that checks whether a given word is valid with respect to a 
formula tji differs from its counterpart in the finite case, basically, only for -0 — 
(fiU(p2 or ip — ipi U = if2- The difficulty is to ensure that whenever tp occurs the 
formula ip 2 definitely occurs in future. But these cases can be handled easily 
using classical techniques in automata construction for temporal logics on uj- 
words [25]. For a formula if> — (piVip? the automaton AL checks that the input 
word has a suffix where either positions labeled with ipi\J(p2 and ip 2 or positions 
labeled with ->((fiUip2) occur infinitely often. The acceptance condition for the 
class operator U = is defined analogously. Q 

4.4 Undecidable Extensions 

Extensions of BD-LTL quickly yield undecidability. We consider two such ex- 
tensions here. 

BD-LTL with Navigation along Tuples 

We extend C @a to a quantifier C@ at m that 'freezes' the values d a and db of the 
attributes a and b, respectively. Operators X = ,Y = ,U = and S = in the scope 
of C@ a! @f, then move along positions that have attributes with data values d a 
and db- At such positions the values of tuples of attributes can be tested for 
equality with (d ai db). For example the property 'there is a future position with 
proposition p where attribute c carries the same data value as attribute a at the 
current position, likewise for d and V can be expressed by C@ a @&i ?= ((@c, @d) A 
p)- 

However, already a restricted version of this extension is undecidable. We 
consider the operators X@ aj <ab and Y@ aj @b- Let the semantics of X@ ai @b be 
defined by w,j |= X@ a ,@b</2 if there is a j > i with w[«].@a = w[j]Ma and 
w[i).@b = w[j].@b and for the smallest such j it holds w,j \= tp. The operator 
Y@ aj @b is defined analogously. 

Theorem 4 BD-LTL extended by the operators X@ 0j ©h and Y(a a ,@& is undecid- 
able on finite (or infinite) attributed words. 

Proof. The proof is along the lines of Proposition 27 in [5] . For the convenience 
of the reader, we sketch the proof. 

We reduce from the Post Correspondence Problem (PCP) which is defined 

by 
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Problem: PCP 

Input: (m,vi), . . . , (u k ,v k ) eS'xS* 
Question: Is there a non-empty sequence (u^ , ) , . . . , , Vj n ) such 
that . . . u in — v il . . . Vi n ? 

Given a PCP P we construct a BD-LTL formula <p>p using the operators 
X@ a ,@b and Y@ 0j @;, such that there is a valid sequence for P if and only if ipp is 
satisfiable. We can assume w.l.o.g. that if there is a valid sequence for P, then 
there is one of odd length. 

Let P := (ui,v\), . . . ,(uk,Vh) G E* x S*. Then ipp uses the propositions 
E x £ where E := {ct | <t e E}. 

A valid sequence (u^ , ) . . . (uj n , ) of odd length for P is mapped to an 
attributed word w such that: 

(1) Every position of w bears exactly one proposition and the word projection 
of w is of the form Ui 1 Vi 1 . . . m n Vi n . 

(2) The attributes a and b are present at all positions and the data values of 
the attributes a and b for the word u := u il . . . u in are of the form 



(d?, d\)(d1, 4)(d$, 4),..., KU, d h n ),{d a n ,d h n ). The same for the word 



(3) In u := Ui ± . . . Ui n all values of attribute a occur exactly twice, except for 
the value of a at the last position of u. Similarly all values of attribute 
b occur exactly twice, except for the value of b at the first position of u. 
The same holds for v := . . . Vi n . 

(4) Every pair (d a , c4) of data values for the attributes a and b occurs exactly 
twice, once in u and once in v and the position in u is labeled by a if and 
only if the corresponding position in v is labeled by a. 

Note that conditions (2)- (4) ensure that u = v', where v' results from v by 
replacing every a in v by a. 

The first three properties can be checked easily by a BD-LTL formula. Con- 
dition (4) can be checked using the additional operators: 



v := v i± . . . vi 




A 
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BD-LTL with From-Now-On Operator 

The from-now-on-oper&tor N introduced in [T8] restricts the range of past 
operators. For an attributed word w — w\ . . . w n and a position i of w let 
sufi(w) := u>i . . . w n be the suffix of w starting at position i. The semantics of 
N is then defined by 

• w,i \= N</? if sufi(w), I \= <p 

Theorem 5 BD-LTL extended by the operator N is undecidable on finite (or 
infinite) attributed words. 

Proof. For technical reasons, we prove that BD-LTL with the operator N, the 
dual on N is undecidable. For an attributed word w = w\ . . . w n and a position 
i of w let prei(w) := w\ . . . Wi be the prefix of w ending at position i. The 
semantics of N is then defined by 

• w, i |= Nip if prei(w),i \= ip 

As BD-LTL is symmetric with respect to the availability of future and past 
operators, undecidability of BD-LTL with N follows from the undecidability of 
BD-LTL with N. 

The proof is by a reduction from the nonemptiness problem for Minsky two 
counter automata [2"T] . 

A Minsky 2-CA is a finite automaton equipped with two counters C\ and 
Ci. With each transition of the automaton a counter action is associated. In 
a counter action a counter can be incremented or decremented by 1 (inci, inc2, 
deci, dec2) or counter can be tested for (ifzeroi, ifzero2). Initially, both 
counters have the value 0. The semantics is straightforward. If a counter i has 
value a transition with a dec^-action can not be applied. A transition with a 
ifzeroi action can only be applied if counter i is 0. 

It is well known that the emptiness problem for Minsky 2-CA is undecidable 

Our reduction constructs, for every Minsky 2-CA C an extended BD-LTL 
formula ip such that L(C) ^ if and only if ip is satisfiable by a 1-attributcd 
word. We can assume without loss of generality that C only accepts if both 
counters are zero. 

We encode runs of C by 1-attributed words as follows. Each position i carries 
two propositions, one is the state of C after step i and the other the action in 
step i. As in an accepting run there are, for each i exactly as many inc^ actions 
as there are dec^ actions we can assign data values in a way such that each data 
value 

• either occurs exactly once at an ifzero-test or 

• once at an inc^ action and once at the corresponding deci-action. 

4 That is, if the first increments counter f from m to m + 1 the other is the action that 
decreases it back from m + 1 to m. 
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It is not hard to write an BD-LTL formula with the N operator that expresses 
that 

(1) successive positions are consistent with respect to the transitions of C, the 
first position carries starting state and the final position carries an accepting 
state, 

(2) every data value only occurs once at an ifzero-test or twice: once at a dec^ 
action and once at a smaller position with a incj-action, and 

(3) an ifzerOi-action never occurs between an inCj-action and the deci-action 
with the same data value. 

Note that condition (3) makes sure that an ifzerOi-action only occurs if 
counter Ci is 0. Conditions (1) and (2) can be easily expressed by BD-LTL. 
Condition (3) can be expressed by the formula 

2 

f\ G(ifzcr 0l -> NH(in Cl -> C @a F=de Cl )) 

i=l 

□ 



5 Extended Navigation 

As already discussed before, the navigational abilities of BD-LTL are limited. 
It seemingly cannot even express the simple property that for every p-position 
i there is a q-position j > i such that w[j]Mb ^ w[i]Ma. Furthermore, in class 
formulas pU = r, the formula p can only refer to positions of the current class. Of 
course, it would be desirable to allow more general forms of "Until navigation" . 

In this section we discuss different possibilities to extend the navigational 
abilities of BD-LTL in an "Until fashion" , some of which are decidable and some 
undecidable. In particular, we exhibit an U-operator with the ability to navigate 
to a position with a different attribute value and to state some properties on 
(all) intermediate positions and show that BD-LTL remains decidable with this 
extension. The property stated in the previous paragraph can be expressed 
using this operator. 

The extensions we study allow formulas of the type pU@ a r, where 5 > 0. 
Intuitively, this operator "freezes" the current value of attribute @a and searches 
for a position j such that r holds at j and p hold everywhere in [i + S,j). In 
formulas as above, we will refer to p as the intermediate formula and r as the 
target formula. The "shift" parameter S is needed as we aim to design a semantic 
extension of simple LTLf. 

Syntactically, the formulas p and r are positive Boolean combinations of 
position formulas and positive and negative attribute tests. More formally, we 

5 We did not attempt to find a proof for this statement as we were aiming for an extended 
logic, anyway. However, we did not find a simple way to express the property. 
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define the syntax of U- sub formulas x by x ::= ip \ @b | @6 | x V X I X A X- 
Intuitively, negative attribute tests @6 check that attribute b has a value (!) 
that is different from the current frozen value. 

Thus, the semantics of formulas pU@ a r, where p and r are t/-subformulas, 
is defined by the following additional rules. 

• w,i \= /oU@ a r if there exists a j > i + 5 such that w, j, w[i].@a \= r and 
u>, k, w[i].@a |= p for all k 6 [i + 5,j) 

• tu, i, d \= @b if w[i]Mb {nil, d}. 

We simply use U(a a instead of U@ a . We remark that pU@^r, for S > can be 

expressed by (pU@ a r A A,=i Pi) V (Vj^iC 7 ^ A A l=J +i where, for A; 6 [1,<5], 
and Tfe are obtained from p and r, respectively, by replacing every position 
formula ip by Y k p, every @b by @a = y fe @6 and every @b by -i@a = Y k @b. 
It can be observed that this formula has the intended meaning (that is, the 
semantics obtained by using —5 in the above semantics definition). pS@ a T is 
defined analogously. 

First of all, we will see that the above mentioned restriction for class formulas 
pU = T is indeed crucial. More precisely, if we allow positive attribute tests in the 
target formula of a formula p U@ a r then the logic becomes undecidable even if 
the intermediate formulas are restricted to position formulas. 

5.1 Extended equality- navigation is undecidable 

Theorem 6 Let C denote the extension of BD-LTL by the formation rule p ::= 
X U<a a Xj where \ denotes U -sub formulas such that 

• all intermediate formulas are position formulas and 

• all target formulas are of the form @a A ip with a position formula ip. 

Then, satisfiability of C on finite (or infinite) attributed words is undecidable. 
This holds even for 1- attributed words. 

Proof. As in Theorem [SJ we reduce from the non-emptiness problem for 
Minsky two counter automata. 

As before, conditions (1) and (2) from the proof of Theorem [5] can be easily 
expressed in BD-LTL. Condition (3) can be expressed by the formula 

2 

A G(inc j; (-lifzerOj U@ a (@a A dec^)). 

i=l 

A slightly modified reduction works for infinite 1-attributed words. Q 
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5.2 Extended inequality navigation 

As Theorem [5] does not leave much room for extensions of U@ a operators with 
positive attribute tests in the target formula we focus on negative attribute 
tests in target formulas. However, as pU@ a (ri V r 2 ) = (pU@ a Ti) V (pUg a r 2 ) 
and position formulas are closed under conjunctions it is clearly sufficient to 
consider target formulas of the form tp A @b\ A • • • A @bk- Unfortunately, at this 
point our techniques can only deal with the case k = 1. 

We turn our attention now to the intermediate formulas p. We recall that 
in the case of positive attribute tests in target formulas even position formulas 
as intermediate formulas yield undecidability. In the case of (single) negative 
attribute tests in target formulas we can allow arbitrary intermediate position 
formulas. 

Furthermore, we can add positive and negative attribute tests, but only in 
a limited way. More precisely, we define the logic XD-LTL by adding ip ::— 
xU@ a x' I xS@ Q x'> to the formation rules of BD-LTL and requiring that 

1. X is restricted to formulas of the form p V (@b A p = ) V (@b A p^) where 
p = , p^ are position formulas and p^ logically implieqj p = , and 

2. %' is restricted to formulas of the form @6Ar, where r is a position formula. 

Intuitively, p = constrains positions where @b equals the current value of @a 
whereas constrains those where it does not. The requirement that implies 
p = is needed for the proof of Theorem [8] 

Clearly XD-LTL strictly extends BD-LTL and is contained in LTh\. Further 
it strictly extends two-variable logic on 1-attributed words. 

Following the general idea of the decidability proof for BD-LTL we first show 
decidability of satisfiability for 1-attributed words and reduce the general case 
to this one. 

5.3 Satisfiability for XD-LTL 

Theorem 7 Satisfiability for XD-LTL on finite 1-attributed words is decidable. 

Proof. The proof basically extends the proof of Theorem Q] for the new for- 
mulas. As usual, we only describe the case of U@ a -formulas. 

Note that in the case of 1-attributed words, any additional disjunct p in the 
intermediate formula can be pushed into the disjunction by or-ing it with both 
p = and . It thus only remains to show how to construct A'^ for formulas 

ip = (@a A p = ) V (@a A p^)U@ a (@a A r), where p = and p^ are position formulas 
and implies p = . 

Before we describe the construction of A[p , we first analyze the relationships 
between positions at which such a formula holds. Clearly, w,i \= (@a A p = ) V 
(@a A /9^)U@ a (@a A r) if and only if there is a position j > i + 5 such that 

(I) W,j \= T, 

6 Readers who prefer a syntactical criterion might think of a formula p~ of the form tpW . 



18 



Pos 


1 


2 


3 


4 


5 


6 


7 


8 


9 


10 














i> 


i> 








Props 








r 












T 




P = 




p = 


P = 


P^ 


p = 




P^ 


P^ 




a 


1 


2 


1 


1 


2 


i 


2 


2 


2 


3 



Figure 2: For ip = (@a A p = ) V (loA p^)U| a (@oAr), the herd of the shepherd 
at position 10 is {3,4,6,7}. Position 4 is no shepherd. Position 6 is a /9-stair 
for positions 3,4. Positions 3,4 are p-far from 10. Positions 3,4,6 are special 
for position 10, whereas there is no special position for position 4. Further 
e"(10) = 3 and e+(10) = 6. 

(II) w[j]Ma ^ w[i]Ma, and 

(III) for the minimal such j every position k £ [i + 5,j) fulfills 

(a) w,k \= or 

(b) w[k].@a = w[i].@a and w, k [= p = . 

For a given position i with w,i \= ?p we call the position j of criterion (III) 
the ip-shepherd for i. We write H(j) for the herd of j, that is the set of positions 
for which j is a -0-shepherd (see Figure [5]). A position j with H(j) ^ is also 
called a shepherd. 

With each r-position j we associate a set of special positions. They are used 
to deal with ^-positions that need (Illb) at least once (p-special positions) and 
with cases where the smallest r-position larger than some i has the same data 
value as i (r-special positions). 

• If for some i £ H{j) there is a k £ [i + S,j) such that w, k (and thus 
(Illb) holds), then we say that i is p-far for j and k is a p-stair for j and 
both are p-special for j. 

• If for some i £ H{j) there is a k £ [i + S,j) such that w, k (= r (and due 
to minimality of j thus w[k].@a — w[i].@a holds), then we say that i is 
r-far for j and k is a t -stair for j and both are t -special for j. 

We write S(J) for the set of (p- or r-) special positions for j and remark that 
S(j) does not need to be a subset of H(j). See Figure [2] for an illustration of 
these definitions. 

For technical reasons, we define the set S(j) also for r-positions with an 
empty herd. To this end, for such r-positions j we put the maximal k £ \j — 5,j) 
with w'[k].@a ^ w'[j].@a such that 

• all positions in (k, j) are p^-positions, and 

• k is a r-position or it is marked by p = but not by 
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into S(j), if such a position exists. Then we add all positions I G (j — S, k) with 
w'[£]Ma = w'[k]Ma to S(j). 

For positions j with non-empty S(j), we denote the minimal and maximal 
special positions for j by e~(j) and e + (j), respectively (see Figure ^ and call 
[e~(j), e + (j)} the special interval of j. Note that e + (j) < j and there is 
no further r-position in (e + (j) + S,j) (as such a position would contradict the 
minimality of j or would be special for j), thus j can be easily identified, given 
e + (j). If S(j) is empty, then is the empty interval. By construction, if 
H(j) = 0, the smallest element of S(j) is larger than j — 5, thus \I(J)\ < S. 

Claim 1 

All positions in S(j) have the same data value. 

For each r-position j with S(J) =/= 0, e + (j) is the largest position k < j 
with w'[k].@a ^ w'[j]Ma such that 

• all positions in (k,j) are p^ -positions, and 

• k is a r-position or it is marked by p = but not by . 

Q]p) For each r-position j with S(j) ^ 0, e~(J) is the smallest position m < 
e + (j) with w'[m]Ma = w'[e + (j)]Ma such that 

• all I G [m + S,j) — S(j) are -labeled, 

• all I € [tn + S,j) are p = -labeled, 

• there is no r -labeled position I G [m + 5,j) — S(j). 

W) \I(j)nI(j')\<Sforj^j'. 

To show Claim (fUtj) . let k be the minimal p-far position in S(j), in case 
^ 0- Clearly, all p-stairs have the same value as k and in turn all other 
p-far positions as well. If H(j) = then all positions have the same value by 
definition of S(J). A similar argument shows that all r-special positions have 
the same data value. Let now k be the maximum p-stair and / the maximum 
r-stair in S(j) and let us assume that w[k]Ma ^ w[l].@a. If k < I, I would be 
a shepherd for the smallest p-far position in S(j), contradicting the minimality 
of j. If / < k, then w[k).@a ^ w[i].@a and w,k Y= for the smallest r-far 
position, again a contradiction. 

Claim (|llb[) and (fljfc|) basically follow directly from the definitions. 

Claim (THE)) is crucial for the construction of AL as it, intuitively, implies 
that, for each part of the data word, there are at most S + 1 data values that 
require special attention by AL . To prove it we can assume that both j and j' 
have a non-empty herd as otherwise one of them has an interval of size at most 
S and the claim follows trivially. 

Let therefore j < j' be two shepherds. Let i = e~(j) , k = e + (j), i' = e~(j') 
and k' = e + (j'). We prove %' + S > k (and thus the claim) by contradiction. To 
this end, let us assume i' + S < k < j < j' . 
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Figure 3: Sketch for the proof of Claim (|llH[) . Here, S marks shepherds and d, d! 
are two different data values. 

As j' is the V'-shepherd for i' , w[i']Ma — w[j).@a (as otherwise, because of 
i' + 5 < j, j' would not be minimal). As j is the ^-shepherd for i, w[i].@a ^ 
w[j].@a. Thus, w[k].@a = w[i].@a ^ w[j].@a = w[i'].@a and therefore i'+S < k. 
See Figure [3] for a sketch of the information obtained so far. However, if k is 
p-special then for some I £ [fc, j) C [i + 6, j) it holds w[l].@a = w[k].@a and 
w,l \= p = but w,l \j= . As w[l}.@a = w[k].@a ^ w[i'].@a, j' cannot be a 
V'-shepherd for i', a contradiction. If, on the other hand, k is r-special then 
there is a r-position j" G [k,j) with w[j"].@a — w[k].@a. But then j" would be 
a shepherd for i' , contradicting the minimality of j'. This concludes the proof 
of Claim (fH)). 

To deal with the additional complication added by S, we use additional 
propositions. In the intended string, each r-position carries a proposition Tt s \, 
for exactly one s 6 {0, . . . , 5}. The herd of a shepherd marked by tv s ) is called 
s-herd and so on. Besides 77 s ) we use further propositions of the form i/)r s \, 
efs and e^^ with the intention that for each shepherd marked by T( s ), e~(j) is 
marked by e7j and e + (j) by et-, and all positions in H(j) are marked by V'(s)- 
We assume that all these propositions are already present in w' . However, the 
automaton has to test that they are as intended. 

For a valid string w' the assignment of s-values to shepherds can be done 
as follows. We assign numbers s 6 {0, . . . , 6} in a round-robin fashion to all 
positions of the form e + (j) and assign this s to the corresponding r-position 
and its herd. This guarantees that for two positions k — et s s(j) and k! = e^(j') 
with j ^ j 1 we have \k' — k\ > 5. This implies that the intervals of two distinct 
T (s) -positions are disjoint (as can be shown just the same way as Claim (|lHi[0 . 

In a nutshell, the idea for the construction of A!^ is as follows. For each 
s G {0, . . . , 6} we construct an automaton A^,i s ) that takes care of s-shepherds 
and their herds. These automata independently check that for each tu) -position 
j the corresponding e~(j)- and e + (j)-positions are correct, and guess and check 
all other positions in S(j). Given the intervals, A^u) checks that the ip( s )- and 
r( s )-markings in w' are consistent. The construction requires some more details 
to control inequality of data values sufficiently. By taking a suitable product of 
these S + 1 automata and additional auxiliary automaton (that tests, e.g., that 
the e^-positions are numbered correctly) we get the automaton A'^. 

In the following we describe the construction of hi more detail. We 
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first define, for each attributed word w' that is valid with respect to tp an 
extension w" with further propositions. Then we formulate some conditions 
that are fulfilled by such a word w" and show how they can be checked by a data 
automaton. Finally, we show that from a word w" that fulfills the conditions a 
word that is valid with respect to ip can be extracted. 

We use the additional propositions h, •, H to mark special positions in s- 
intcrvals and propositions , , , c^ to enforce some data inequality con- 
ditions. More precisely, the propositions c - *' and will help to make sure that 
every s-shepherd has a different data value from his herd and the propositions 
aT' and will be used to pinpoint the e7, positions. 

To help the reader to distinguish the various kinds of propositions we use 
the following conventions. 

• We say that positions are labeled by the propositions h, •, H. We call a 
position that is not labeled by h, • or H unlabeled. 

• We say that positions are colored by the propositions , , , c*~ . 

• For all other propositions we say that a position is marked. 

In the following the class 6 '-predecessor of a position j is the largest position 
k < j — S with w'[k]Ma = w'[j].@a. We call the class 1-predecessor class 
predecessor 

If w' is a valid word (where the propositions i~(s),ip(s),e~( s y e ^ ar e assigned 
as intended), we define its extension w" as follows. 

• For every s-shepherd j, e~(j) is labeled by h and e + (j) is labeled by H. 
All special positions between e~(j) and e + (j) are labeled by •. 

• Let j be the minimal r^-position. The positions in H (j) are colored by 

and j by . Then the following procedure decides the c-coloring for 
the remaining T( s ) -positions and their herds. Let j be the smallest re- 
position whose c^-value has not yet been decided. Position j is colored 
by c^ and all positions in H(j) are colored by c^ if and only if its class 
(5-predecessor is not colored by c^ or docs not exist. As the herds of 
different s-shepherds are disjoint this procedure is unambiguous. 

• The a-coloring is defined similarly. The first h-position k is colored by 

. All positions strictly between k and its class predecessor are colored 
by a~* . Afterwards, we proceed as follows. The minimal h-position k that 
is not yet decided is colored by unless its class predecessor is colored 
by aT*. All positions strictly between k and its class predecessor which 
are larger than the previous h-position are colored by if and only if k 
was colored by . Clearly, this procedure is unambiguous as well. 

Next, we describe the conditions that are tested by A^r s \ — {B,C). For 
notational simplicity, we take the freedom to assume that the additional propo- 
sitions are already given in the input, that is, A^( s \ reads an extended word w" 
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instead of w' . However, it is straightforward to translate this automaton into 
one in which the base automaton guesses additional propositions (by means of 
states) and sends all propositions, encoded as states to the class automaton. 
The first two conditions refer to the a- and c-colorings. 

(Col 1) ( Consistent coloring for r ) The class <5-predecessor of a T( s )-position j 
is colored by c^ if and only if j is not colored by c^ . 

(Col 2) ( Consistent coloring for h ) The class predecessor of a h-position j is 
colored by if and only if j is not colored by . 

We say that a position i is a-consistent with a position k > i if i is a^-colored 
if and only if k is a^-colorcd. Likewise for c-consistent. 
The next conditions deal with the intervals 

(Spec 1) (Global h • H pattern) In the whole attributed word, the labeled 
positions respect the pattern ((h •* H) + {h,H})*. Here, a position 
matches {h, H} if both h and H occur. 

(Spec 2) (Local h • H pattern) In each class word, the labeled positions occur in 
contiguous blocks each of which respects the pattern (h •* H) + {h, H}). 

(Spec 3) ( Correct -\-positions) A position k is labeled by H if and only if there 
is a T( s ) -position j > k and for the minimal such position j 

• all m £ (fc,j) are p^-marked and 

— k is not p^-markcd or 

— k is T( s ) -marked and 

* j is unlabeled or 

* j is labeled and there is a h-position in (k,j). 

In this case, we call j the corresponding T( s ) -position for k (and for all 
other labeled positions in the interval of k). 

(Spec 4) (Correct ^-positions) A labeled position k is h-labeled if and only if 
for its corresponding H-position m and its corresponding T( s ) -position 
j the following conditions hold. 

(A) all labeled positions in (k + 5, m] are p = -markcd, 

(B) all unlabeled positions in (fc + 5, m) are p^-marked, 

(C) all positions in (m,j) D [k + S,j) arc p^-markcd, and 

(D) one of the following conditions holds. 

(Di) There is a position i < k such that i + S < j, i + S is 
an unlabeled r-position and all positions in (i, k) are a- 
consistent with k. 
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(Dii) There is a position i < k such that i + 5 < j, i + S is not a 
p = -position and all positions in (i, k) are a-consistent with 
k. 

(Diii) There is a position i < k such that i + S < j, i + S is 
unlabeled and not marked p^ and all positions in (i,k) 
are a-consistent with k. 

(Div) None of (i)-(iii) holds and all position < k are a-consistent 
with k. 

Finally, the following two conditions shall guarantee the validity of w" with 
respect to ip. 

(Log 1) (Unlabeled ip/ s ypositions) An unlabeled position i is marked by ip/ s -\ if 
and only if there is a T7 S ) -position j > i + S and for the minimal such 
position it holds that every k 6 [i + §,j) is marked by p^ . If so, i is 
c-consistent with j. 

(Log 2) (Labeled ipi s \-positions) A labeled position i is marked by ipr s ^ if and 
only if there is a 77 s ) -position j > i+S after i's corresponding H-position 
/ and, for the minimal such j, every fee [« + £, Z] is marked by or is 
labeled and marked by p = and every k G [Z, j) H [i + S,j) is marked by 
p^. If so, i is c-consistent with j. 

Conditions (Col 1), (Col 2) and (Spec 2) express properties of the class 
words of w" whereas the remaining conditions express properties of its word 
projection. Each of these properties can be easily expressed in first-order logic 
and can therefore be checked by the class automaton or the base automaton, 
respectively. To test (Col 1) it is important that from the propositions — r it can 
be easily inferred how many positions are in the class word between a position 
j and its class (5-predecessor. Remember that — r is holds at position i if and 
only if w[i}.@a = w[i + r].@a (see proof of Theorem [TJ. 

We claim that the attributed word w" constructed above fulfills all Col-, Ex- 
and Log-conditions if w' is valid with respect to ■ For (Col 1) this is because 
every shepherd is marked by exactly if its class (5-predecessor is not colored 
by or does not exist at all. Likewise for (Col 2) and h-positions. (Spec 1) 
holds because the intervals are disjoint. (Spec 2) follows from the way the 
h • H labelings are obtained from the intervals. (Spec 3) holds by the definition 
°f e+ (j)- (Spec 4) holds because the h-positions are exactly the positions e~(j) 
and by the construction of the a^-coloring. 

That (Log 1) and (Log 2) hold follows from the validity of w' with respect 
to ?/>( s ) and the way the c^-marking is chosen. 

Before we prove correctness for the automaton defined along these lines, we 
show the following useful claim 

Claim 2 Let w" be a 1-attributed word that fulfills all Col-, Ex- and Log- 
conditions and which is valid with respect to all subformulas of ip. Then for 
each T( s ) -position j the following conditions hold. 
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fHaJ There is a -\-labeled position k for which j is the corresponding rr s -\ -position 
if and only if S(J) ^ 0. If so, there is also a corresponding {--position I, 
k = e + {j) and I — e~(j). 

@y S(J) is exactly the set of labeled points between the h and -{-position cor- 
responding to j . 

The part of Claim (f5tij) concerning e + (j) follows directly from (Spec 3), (Col 
1) and (Log 2). This implies in particular that all labeled positions in some 
interval have a different data value than their corresponding T( s )-position. 

To show that I = e~(j) we have to show that (1) I £ S(j) and (2) there 
is no smaller I' £ S(j). By (Spec 1,2) all corresponding labeled positions have 
the same data value. Therefore (Spec 4 A-C) guarantee that I £ S(j). For the 
sake of a contradiction let us now assume that there is V £ S(j) with /' < I. As 
w"[l'].@a = w"[l].@a, I' is not a-consistent with I. By (Spec 4 D) therefore one 
of the following statements holds, each leading to a contradiction. 

(1) There is an position i £ [V, I) such that i + S < j and i + 6 is an unlabeled 
r-position. But then i + S is a ^-shepherd for /' contradicting the minimal 
choice of j . 

(2) There is a position i £ [I', I) such that i + S < j and i + S is not a p = -position. 
This contradicts I' £ S(j). 

(3) There is a position i £ [/', I) such that i + S < j and i + 5 is unlabeled and 
not marked p£ . This also contradicts V £ S(j). 

Before we show that the automaton AL is indeed correct, we make precise 
what it means that a 1-attributed word w" is valid with respect to %l>u\ for a 
formula 

tp = (@a A p = ) V (la A p^)XJ^(@a A r). 

This is the case if for every position i of w" it holds that i is marked by ipr s \ if 
and only if 

(*\) there is a position j > i + 6 such that 

(I') j is marked by t (s ), 
(IF) w"[j]Ma ^ w"[i]Ma, and 

(III') for the minimal such j every position k £ [i + S,j) fulfills 

(a) k is marked by or 

(b) w"[k]Ma = w"[i].@a and k is marked by p = . 

We show now that if a 1-attributed word fulfills the Col-, Ex- and Log- 
conditions above then each of its positions i is marked by ?/v s ) if and only if (** ) 
holds. 

We first show that all ip/ s ) -positions i fulfill (**). 

We first consider the case that i is unlabeled. Let j be the corresponding 
position guaranteed by (Log 1). Clearly i and j fulfill (F) and (IIF). We have 
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to show that w"[i]Ma ^ w"\j]Ma. To this end, let k E [i,j — 5} be maximal 
with w"[k]Ma = w"[i]Ma. 

• If k is unlabeled then k fulfills the condition of (Log I) and is thus 
also labeled by V'(s)- Furthermore, it is c-consistent for j and therefore 
w"\j]Ma ^ w"[k]Ma = w"[i]Ma. 

• If k is labeled, there must be a h-position I G (i,k]. As w"[i].@a — 
w"[k]Ma — w"[l]Ma, i is not a-consistent with I. By (Spec 4D) it follows 
again the existence of an intermediate position as in (l)-(3) in the proof 
of Claim (|2a| and as there we get the desired contradiction. 

We next consider the case that i is labeled. Let j be the corresponding 
position guaranteed by (Log 2). Clearly i and j fulfill (F) and (IIF) (as all 
labeled positions in [i + 5, 1] have the same data value as i). Again, we have to 
show that w"[i]Ma ^ w"\j)Ma. Let I be the H-position corresponding to i, thus 
I G [i,j). 

• If j is labeled (Spec 3) guarantees that there is a h-position m E (I, j). As j 
is the first Tr 8 \ -position after I there cannot be any other s-interval between 
I and m. (Spec 5) and (Col 2) now guarantee w"[l).@a ^ w"[m].@a and 
thus w"[i]Ma = w"[l].@a ^ w"[m]Ma = w"[j].@a. 

• If j is unlabeled then w"[j].@a ^ w"[l]Ma — w"[i]Ma because j is the 
corresponding r( s ) -position for I. 

Finally, we show that all positions i fulfilling (**) are marked by V'fa)- 
Again, we consider first the case that i is unlabeled. In this case i $ S(j). 
Therefore all intermediate positions k £ [i + 5,j) fulfill p£ . Therefore (Log 1) 
implies that i is marked by V'(s)- 

If, on the other hand, i is labeled, i G S(j). Let I = e + (j), i.e., the corre- 
sponding H-position of i. As all labeled positions in [i + S, I) have the same data 
value as i, these positions fulfill the corresponding statement in (Log 2). Let us 
assume there is a position m E (l,j)n[i + S,j) that is not /^-marked and fulfills 
w"[m].@a = w"[i).@a. But then m is a p-stair for i and therefore m E S(j). 
Thus, (Log 2) ensures that i is ■0( s )-marked. This completes the proof. Q 

By a straightforward extension of the proof of Theorem [2] we get the follow- 
ing. 

Theorem 8 Satisfiability for XD-LTL on finite attributed words is decidable. 

Proof. It suffices to show that the construction of the proof of Theorem[2]can 
be extended for formulas of the new kind. To this end, we extend t as follows. 



2G 



t i(p V (@a, A p~) V (@a» A p^) U@ aj (@a k A r) 
*j ( (i(p)V-.att l )V(@aA J RAt(p = ))V(@^Ai?At(p^))U<a a (@^Ai?Aatt fe Ai(r)) 
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6 Conclusion 

We conclude by stating some questions that should be investigated further. We 
would be interested to understand the exact border of undecidability. At this 
point, it is not exactly clear which kinds of intermediate and target formulas 
can be allowed for U@ a . It would also be interesting to compare our logics with 
other logics that can deal with values, particularly with guarded LTL-FO of 
|14j . Further investigations could try to identify fragments with more reasonable 
complexity and try to add more arithmetics to the data domain. 
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